XSS vulnerability in CMFDiffTool

Summary:
Vulnerability type:
Cross Site Scripting
Details:
When editing content items, a history of previous versions can be kept. The tool that is used to show the differences between two versions may be tricked into showing script tags unescaped, which are then executed.
Current status:
Hotfixed. We override the inline_diff method of various classes in Products.CMFDiffTool. For these methods you get a patched version of the code from version 3.3.2. This may contain more fixes or features than are available in the version that your site currently uses. Care has been taken that this should work for all CMFDiffTool versions that are used officially in Plone 4.3.0 or higher.
Date reported:
May 27, 2020
Date patched:
May 18, 2021
Reported by:
Igor Margitich
Fixed by:
Plone Security Team
Coordinated by:
Plone Security Team
CVE Identifier:
CVE-2021-33513
Affected Plone versions:
5.2.4, 5.2.3, 5.2.2, 5.2.1, 5.2.0, 5.1rc2, 5.1rc1, 5.1b4, 5.1b3, 5.1b2, 5.1a2, 5.1a1, 5.1.7, 5.1.6, 5.1.5, 5.1.4, 5.1.2, 5.1.1, 5.1, 5.0rc3, 5.0rc2, 5.0rc1, 5.0.9, 5.0.8, 5.0.7, 5.0.6, 5.0.5, 5.0.4, 5.0.3, 5.0.2, 5.0.10, 5.0.1, 5.0, 4.3.9, 4.3.8, 4.3.7, 4.3.6, 4.3.5, 4.3.4, 4.3.3, 4.3.20, 4.3.2, 4.3.19, 4.3.18, 4.3.17, 4.3.15, 4.3.14, 4.3.12, 4.3.11, 4.3.10, 4.3.1, 4.3

CVSS Scoring

Access Vector:
Network
Access Complexity:
High
Authentication:
Single
Confidentiality Impact:
Partial
Integrity Impact:
Partial
Availability Impact:
None
;
This site uses cookies
For this website we use cookies for anonymous analytics gathering and show external content. You can also enable third parties independently.